diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 8ecaf4b83..e266ca3d8 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -37,6 +37,10 @@
 #include "polarssl/x509.h"
 #include "polarssl/error.h"
 
+#if defined(POLARSSL_TIMING_C)
+#include "polarssl/timing.h"
+#endif
+
 #define DFL_SERVER_NAME "localhost"
 #define DFL_SERVER_PORT 4433
 #define DFL_REQUEST_PAGE "/"
@@ -57,6 +61,7 @@
 #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
 #define DFL_TRUNC_HMAC 0
 #define DFL_RECONNECT 0
+#define DFL_RECO_DELAY 0
 #define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
 
 #define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \
@@ -97,6 +102,7 @@ struct options
 unsigned char mfl_code; /* code for maximum fragment length */
 int trunc_hmac; /* negotiate truncated hmac or not */
 int reconnect; /* attempt to resume session */
+ int reco_delay; /* delay in seconds before resuming session */
 int tickets; /* enable / disable session tickets */
 } opt;
 
@@ -198,6 +204,13 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
 #define USAGE_MAX_FRAG_LEN ""
 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
 
+#if defined(POLARSSL_TIMING_C)
+#define USAGE_TIME \
+ " reco_delay=%%d default: 0 seconds\n"
+#else
+#define USAGE_TIME ""
+#endif /* POLARSSL_TIMING_C */
+
 #define USAGE \
 "\n usage: ssl_client2 param=<>...\n" \
 "\n acceptable parameters:\n" \
@@ -216,6 +229,7 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
 " allow_legacy=%%d default: 0 (disabled)\n" \
 " renegotiate=%%d default: 0 (disabled)\n" \
 " reconnect=%%d default: 0 (disabled)\n" \
+ USAGE_TIME \
 USAGE_TICKETS \
 USAGE_MAX_FRAG_LEN \
 USAGE_TRUNC_HMAC \
@@ -320,6 +334,7 @@ int main( int argc, char *argv[] )
 opt.mfl_code = DFL_MFL_CODE;
 opt.trunc_hmac = DFL_TRUNC_HMAC;
 opt.reconnect = DFL_RECONNECT;
+ opt.reco_delay = DFL_RECO_DELAY;
 opt.tickets = DFL_TICKETS;
 
 for( i = 1; i < argc; i++ )
@@ -393,6 +408,12 @@ int main( int argc, char *argv[] )
 if( opt.reconnect < 0 || opt.reconnect > 2 )
 goto usage;
 }
+ else if( strcmp( p, "reco_delay" ) == 0 )
+ {
+ opt.reco_delay = atoi( q );
+ if( opt.reco_delay < 0 )
+ goto usage;
+ }
 else if( strcmp( p, "tickets" ) == 0 )
 {
 opt.tickets = atoi( q );
@@ -892,8 +913,10 @@ send_request:
 {
 --opt.reconnect;
 
- // printf( " ! Press a key to reconnect\n" );
- // (void) getchar();
+#if defined(POLARSSL_TIMING_C)
+ if( opt.reco_delay > 0 )
+ m_sleep( 1000 * opt.reco_delay );
+#endif
 printf( " . Reconnecting with saved session..." );
 fflush( stdout );
 
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 54ba769b4..a95bcadd2 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -70,6 +70,7 @@
 #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
 #define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
 #define DFL_CACHE_MAX -1
+#define DFL_CACHE_TIMEOUT -1
 
 #define LONG_RESPONSE "
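Review bot: The new `reco_delay` branch only rejects negative values, so a large value makes `1000 * opt.reco_delay` in the later `send_request:` hunk overflow `int`, which is undefined behaviour rather than a long sleep. Bounding the option where it is parsed keeps the product in range: `if( opt.reco_delay < 0 || opt.reco_delay > INT_MAX / 1000 )` followed by `goto usage;` (needs `<limits.h>`, which neither hunk shows as included). `atoi( q )` also reports no parse failure, so `reco_delay=abc` silently becomes 0; that matches the neighbouring options, but a `strtol()` with an end-pointer check would reject it. The body of `main` starts and ends outside both hunks.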
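Review bot: The sleep is compiled only under `POLARSSL_TIMING_C`, but the `reco_delay` option is parsed unconditionally, so a build without timing accepts `reco_delay=N`, hides it from the usage text via `USAGE_TIME`, and then ignores it without any message. Either wrap the parsing branch in the same `#if defined(POLARSSL_TIMING_C)` so that the option falls through to `goto usage` like any unknown parameter, or add `/* ignored when POLARSSL_TIMING_C is not defined */` next to the `reco_delay` field so the behaviour is at least documented. The struct comment says the value is in seconds and the code multiplies by 1000, which presumably matches a millisecond `m_sleep()` argument; worth confirming against `timing.h`.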

01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
 "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@@ -112,6 +113,7 @@ struct options
 unsigned char mfl_code; /* code for maximum fragment length */
 int tickets; /* enable / disable session tickets */
 int cache_max; /* max number of session cache entries */
+ int cache_timeout; /* expiration delay of session cache entries */
 } opt;
 
 static void my_debug( void *ctx, int level, const char *str )
@@ -166,7 +168,8 @@ static void my_debug( void *ctx, int level, const char *str )
 
 #if defined(POLARSSL_SSL_CACHE_C)
 #define USAGE_CACHE \
- " cache_max=%%d default: cache default (50)\n"
+ " cache_max=%%d default: cache default (50)\n" \
+ " cache_timeout=%%d default: cache default (1d)\n"
 #else
 #define USAGE_CACHE ""
 #endif /* POLARSSL_SSL_CACHE_C */
@@ -196,6 +199,7 @@ static void my_debug( void *ctx, int level, const char *str )
 " allow_legacy=%%d default: 0 (disabled)\n" \
 " renegotiate=%%d default: 0 (disabled)\n" \
 USAGE_TICKETS \
+ USAGE_CACHE \
 USAGE_MAX_FRAG_LEN \
 "\n" \
 " min_version=%%s default: \"ssl3\"\n" \
@@ -317,6 +321,7 @@ int main( int argc, char *argv[] )
 opt.mfl_code = DFL_MFL_CODE;
 opt.tickets = DFL_TICKETS;
 opt.cache_max = DFL_CACHE_MAX;
+ opt.cache_timeout = DFL_CACHE_TIMEOUT;
 
 for( i = 1; i < argc; i++ )
 {
@@ -472,6 +477,12 @@ int main( int argc, char *argv[] )
 if( opt.cache_max < 0 )
 goto usage;
 }
+ else if( strcmp( p, "cache_timeout" ) == 0 )
+ {
+ opt.cache_timeout = atoi( q );
+ if( opt.cache_timeout < 0 )
+ goto usage;
+ }
 else
 goto usage;
 }
@@ -745,6 +756,9 @@ int main( int argc, char *argv[] )
 if( opt.cache_max != -1 )
 ssl_cache_set_max_entries( &cache, opt.cache_max );
 
+ if( opt.cache_timeout != -1 )
+ ssl_cache_set_timeout( &cache, opt.cache_timeout );
+
 ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
 ssl_cache_set, &cache );
 #endif
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a60248d75..ac38f042f 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
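Review bot: The usage line added for `cache_timeout` in the `USAGE_CACHE` hunk gives neither the unit nor the meaning of `0`, and the struct comment `/* expiration delay of session cache entries */` has the same gap. The new shell test `"Session resume using cache #7 (no timeout)"` passes `cache_timeout=0` and still expects a cache hit after `reco_delay=2`, which suggests 0 disables expiry, and the comparison with `reco_delay` suggests seconds; both should be confirmed against `ssl_cache_set_timeout()`. Once confirmed, `" cache_timeout=%%d default: cache default (1d), 0 = never expire\n"` and `/* expiration delay of session cache entries in seconds, 0 = none */` would document it. As with `cache_max`, `atoi( q )` turns unparsable input into 0, which here silently selects that no-expiry mode rather than failing; a `strtol()` end-pointer check would catch it. `main` starts and ends outside these hunks.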
@@ -27,7 +27,7 @@ run_test() {
 sleep 1
 $CLI_CMD $2 > cli_out
 CLI_EXIT=$?
- echo SERVERQUIT | openssl s_client >/dev/null 2>&1
+ echo SERVERQUIT | openssl s_client -no_ticket >/dev/null 2>&1
 wait $SRV_PID
 shift 2
@@ -106,6 +106,11 @@ run_test "Session resume using tickets #1" \
 "debug_level=4 tickets=1" \
 "debug_level=4 reconnect=1 tickets=1" \
 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -s "server hello, adding session ticket extension" \
+ -c "found session_ticket extension" \
+ -c "parse new session ticket" \
 -S "session successfully restored from cache" \
 -s "session successfully restored from ticket" \
 -s "a session has been resumed" \
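Review bot: The reason for adding `-no_ticket` to the SERVERQUIT connection is not recorded anywhere in the script, so a later reader cannot tell whether the flag is load-bearing. Presumably it stops the shutdown connection from negotiating a session ticket so that the server-side log lines the ticket/cache tests grep for (`found session ticket extension`, `server hello, adding session ticket extension`) are produced only by the test client; a comment such as `# -no_ticket: keep the shutdown connection out of the session ticket/cache checks` above the line would capture that once the motivation is confirmed. `run_test()` begins before this hunk and continues after it.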
@@ -115,43 +120,85 @@ run_test "Session resume using tickets #2" \
 "debug_level=4 tickets=1 cache_max=0" \
 "debug_level=4 reconnect=1 tickets=1" \
 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -s "server hello, adding session ticket extension" \
+ -c "found session_ticket extension" \
+ -c "parse new session ticket" \
 -S "session successfully restored from cache" \
 -s "session successfully restored from ticket" \
 -s "a session has been resumed" \
 -c "a session has been resumed"
-# Test for Session Resume based on session-ID and cache
+# Tests for Session Resume based on session-ID and cache
-run_test "Session resume using cache #1" \
+run_test "Session resume using cache #1 (tickets enabled on client)" \
 "debug_level=4 tickets=0" \
- "debug_level=4 reconnect=1 tickets=1" \
+ "debug_level=4 tickets=1 reconnect=1" \
 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -S "server hello, adding session ticket extension" \
+ -C "found session_ticket extension" \
+ -C "parse new session ticket" \
 -s "session successfully restored from cache" \
 -S "session successfully restored from ticket" \
 -s "a session has been resumed" \
 -c "a session has been resumed"
-run_test "Session resume using cache #2" \
+run_test "Session resume using cache #2 (tickets enabled on server)" \
 "debug_level=4 tickets=1" \
- "debug_level=4 reconnect=1 tickets=0" \
+ "debug_level=4 tickets=0 reconnect=1" \
 0 \
+ -C "client hello, adding session ticket extension" \
+ -S "found session ticket extension" \
+ -S "server hello, adding session ticket extension" \
+ -C "found session_ticket extension" \
+ -C "parse new session ticket" \
 -s "session successfully restored from cache" \
 -S "session successfully restored from ticket" \
 -s "a session has been resumed" \
 -c "a session has been resumed"
-run_test "Session resume using cache #3" \
+run_test "Session resume using cache #3 (cache_max=0)" \
 "debug_level=4 tickets=0 cache_max=0" \
- "debug_level=4 reconnect=1 tickets=0" \
+ "debug_level=4 tickets=0 reconnect=1" \
 0 \
 -S "session successfully restored from cache" \
 -S "session successfully restored from ticket" \
- -s "no session has been resumed" \
- -c "no session has been resumed"
+ -S "a session has been resumed" \
+ -C "a session has been resumed"
-run_test "Session resume using cache #4" \
- "debug_level=4 tickets=1 cache_max=1" \
- "debug_level=4 reconnect=1 tickets=0" \
+run_test "Session resume using cache #4 (cache_max=1)" \
+ "debug_level=4 tickets=0 cache_max=1" \
+ "debug_level=4 tickets=0 reconnect=1" \
+ 0 \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache #5 (timemout > delay)" \
+ "debug_level=4 tickets=0 cache_timeout=1" \
+ "debug_level=4 tickets=0 reconnect=1 reco_delay=0" \
+ 0 \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache #6 (timeout < delay)" \
+ "debug_level=4 tickets=0 cache_timeout=1" \
+ "debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
+ 0 \
+ -S "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -S "a session has been resumed" \
+ -C "a session has been resumed"
+
+run_test "Session resume using cache #7 (no timeout)" \
+ "debug_level=4 tickets=0 cache_timeout=0" \
+ "debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
 0 \
 -s "session successfully restored from cache" \
 -S "session successfully restored from ticket" \